* [PATCH v4 0/2] ima: measure write on securityfs policy file
@ 2026-06-17 15:58 Enrico Bravi
2026-06-17 15:58 ` [PATCH v4 1/2] ima: measure loaded policy after " Enrico Bravi
2026-06-17 15:58 ` [PATCH v4 2/2] ima: measure buffer sent to " Enrico Bravi
0 siblings, 2 replies; 11+ messages in thread
From: Enrico Bravi @ 2026-06-17 15:58 UTC (permalink / raw)
To: linux-integrity, zohar, dmitry.kasatkin, roberto.sassu
Cc: eric.snowberg, Enrico Bravi
This series aims to introduce integrity measurements when the IMA policy is
written on the securityfs file.
In particular, when a signed policy is not mandatory, it can be written
directly on the securityfs file. This allows to override the boot policy
at the first write, and append new policy rules at the subsequent writes (if
CONFIG_IMA_WRITE_POLICY=y). In this case new policy can be loaded
without being measured.
The patch #1 introduces a new critical-data record for the newly loaded
policy. The measurement is performed over the textual representation of the
new policy once it becomes effective (after ima_update_policy()). As
suggested by Mimi, the new critical-data rule is added to the arch
specific policy rules (only when a signed policy is not mandatory).
The patch #2, following what was suggested by Roberto, measures the input
buffer sent to the securityfs policy file, regardless of whether the new
policy will be accepted or not. This is done by calling
process_buffer_measurement(), enabling POLICY_CHECK in ima_match_rules() and
ima_match_rule_data() in order to catch it when 'measure func=POLICY_CHECK'
is defined (e.g., ima_policy=tcb).
Changes in v4:
- Added kernel-doc for the new ima_measure_loaded_policy() function as
suggested by Mimi.
- Increased the rule buffer size in ima_measure_loaded_policy() (suggested
by Mimi) checking if seq_has_overflowed() calculating the policy length.
- Acquire ima_write_mutex in before calling ima_measure_loaded_policy()
and verify lockdep_assert_held(&ima_write_mutex) as suggested by Mimi.
- Initialize file_len to zero in ima_measure_loaded_policy() as
suggested by Mimi.
- Changed ima_measure_policy_buf() returned error from -ENOPARAM to
-EINVAL as suggested by Mimi.
- Changed event name from "ima_write_policy_buf" to "ima_policy_written"
as suggested by Mimi.
- Updated patches description.
Changes in v3:
- Include the newly defined critical-data rule only if a signed policy is
not mandatory as suggested by Mimi.
- Removed the ima_policy_text_len() function as suggested by Mimi.
- Moved policy input buffer measurement from process_measurement() to
process_buffer_measurement() as suggested by Mimi.
- Changed ima_measure_policy_write() function name to ima_measure_policy_buf()
as suggested by Mimi.
- Updated patches description.
Changes in v2:
- Set a new critical-data rule for measuring the loaded IMA policy.
- Add the new critical-data rule to the specific arch policy rules.
- Add patch #2 for measuring the input buffer sent to the securityfs
policy file.
Enrico Bravi (2):
ima: measure loaded policy after write on securityfs policy file
ima: measure buffer sent to securityfs policy file
security/integrity/ima/ima.h | 4 ++
security/integrity/ima/ima_efi.c | 2 +
security/integrity/ima/ima_fs.c | 7 ++-
security/integrity/ima/ima_main.c | 19 ++++++++
security/integrity/ima/ima_policy.c | 73 ++++++++++++++++++++++++++++-
5 files changed, 102 insertions(+), 3 deletions(-)
base-commit: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
--
2.52.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v4 1/2] ima: measure loaded policy after write on securityfs policy file
2026-06-17 15:58 [PATCH v4 0/2] ima: measure write on securityfs policy file Enrico Bravi
@ 2026-06-17 15:58 ` Enrico Bravi
2026-06-24 20:35 ` Mimi Zohar
2026-06-17 15:58 ` [PATCH v4 2/2] ima: measure buffer sent to " Enrico Bravi
1 sibling, 1 reply; 11+ messages in thread
From: Enrico Bravi @ 2026-06-17 15:58 UTC (permalink / raw)
To: linux-integrity, zohar, dmitry.kasatkin, roberto.sassu
Cc: eric.snowberg, Enrico Bravi
IMA policy can be written multiple times in the securityfs policy file
at runtime if CONFIG_IMA_WRITE_POLICY=y. When IMA_APPRAISE_POLICY is
required, the policy needs to be signed to be loaded, writing the absolute
path of the file containing the new policy:
echo /path/of/custom_ima_policy > /sys/kernel/security/ima/policy
When this is not required, policy can be written directly, rule by rule:
echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
"audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> /sys/kernel/security/ima/policy
In this case, a new policy can be loaded without being measured or
appraised.
Add a new critical data record to measure the textual policy
representation when it becomes effective. Include in the
architecture-specific policy the new critical data record only when it
is not mandatory to load a signed policy. Additionally, enable the
policy serialization code even when CONFIG_IMA_READ_POLICY=n.
To verify the template data hash value, convert the buffer policy data
to binary:
grep "ima_policy_loaded" \
/sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
---
security/integrity/ima/ima.h | 3 ++
security/integrity/ima/ima_efi.c | 2 +
security/integrity/ima/ima_fs.c | 6 ++-
security/integrity/ima/ima_policy.c | 70 ++++++++++++++++++++++++++++-
4 files changed, 78 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 69e9bf0b82c6..befa221716e5 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -46,6 +46,8 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
/* current content of the policy */
extern int ima_policy_flag;
+extern struct mutex ima_write_mutex;
+
/* bitset of digests algorithms allowed in the setxattr hook */
extern atomic_t ima_setxattr_allowed_hash_algorithms;
@@ -452,6 +454,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos);
void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
void ima_policy_stop(struct seq_file *m, void *v);
int ima_policy_show(struct seq_file *m, void *v);
+void ima_measure_loaded_policy(void);
/* Appraise integrity measurements */
#define IMA_APPRAISE_ENFORCE 0x01
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index bca57d836cb9..be7911009454 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -17,6 +17,8 @@ static const char * const sb_arch_rules[] = {
#endif
#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
"appraise func=POLICY_CHECK appraise_type=imasig",
+#else
+ "measure func=CRITICAL_DATA label=ima_policy",
#endif
"measure func=MODULE_CHECK",
NULL
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index ca4931a95098..65e7812c702f 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -24,7 +24,7 @@
#include "ima.h"
-static DEFINE_MUTEX(ima_write_mutex);
+DEFINE_MUTEX(ima_write_mutex);
bool ima_canonical_fmt;
static int __init default_canonical_fmt_setup(char *str)
@@ -478,6 +478,10 @@ static int ima_release_policy(struct inode *inode, struct file *file)
}
ima_update_policy();
+
+ mutex_lock(&ima_write_mutex);
+ ima_measure_loaded_policy();
+ mutex_unlock(&ima_write_mutex);
#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
securityfs_remove(file->f_path.dentry);
#elif defined(CONFIG_IMA_WRITE_POLICY)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index f7f940a76922..0a70d10da70a 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -17,6 +17,7 @@
#include <linux/slab.h>
#include <linux/rculist.h>
#include <linux/seq_file.h>
+#include <linux/vmalloc.h>
#include <linux/ima.h>
#include "ima.h"
@@ -2020,7 +2021,6 @@ const char *const func_tokens[] = {
__ima_hooks(__ima_hook_stringify)
};
-#ifdef CONFIG_IMA_READ_POLICY
enum {
mask_exec = 0, mask_write, mask_read, mask_append
};
@@ -2322,7 +2322,6 @@ int ima_policy_show(struct seq_file *m, void *v)
seq_puts(m, "\n");
return 0;
}
-#endif /* CONFIG_IMA_READ_POLICY */
#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
/*
@@ -2379,3 +2378,70 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
return found;
}
#endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
+
+/**
+* ima_measure_loaded_policy - measure the active IMA policy ruleset
+*
+* Must be called with ima_write_mutex held, as it performs two
+* separate RCU read passes over ima_rules and relies on the mutex
+* to prevent concurrent policy updates between them.
+*/
+void ima_measure_loaded_policy(void)
+{
+ const char *event_name = "ima_policy_loaded";
+ const char *op = "measure_loaded_ima_policy";
+ struct ima_rule_entry *rule_entry;
+ struct list_head *ima_rules_tmp;
+ struct seq_file file;
+ int result = -ENOMEM;
+ size_t file_len = 0;
+ char rule[512];
+
+ /* calculate IMA policy rules memory size */
+ file.buf = rule;
+ file.read_pos = 0;
+ file.size = 512;
+ file.count = 0;
+
+ lockdep_assert_held(&ima_write_mutex);
+
+ rcu_read_lock();
+ ima_rules_tmp = rcu_dereference(ima_rules);
+ list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
+ ima_policy_show(&file, rule_entry);
+ if (seq_has_overflowed(&file)) {
+ result = -E2BIG;
+ integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, event_name,
+ op, "rule_length", result, 1);
+ return;
+ }
+
+ file_len += file.count;
+ file.count = 0;
+ }
+ rcu_read_unlock();
+
+ /* copy IMA policy rules to a buffer for measuring */
+ file.buf = vmalloc(file_len);
+ if (!file.buf) {
+ integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, event_name,
+ op, "ENOMEM", result, 1);
+ return;
+ }
+
+ file.read_pos = 0;
+ file.size = file_len;
+ file.count = 0;
+
+ rcu_read_lock();
+ ima_rules_tmp = rcu_dereference(ima_rules);
+ list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
+ ima_policy_show(&file, rule_entry);
+ }
+ rcu_read_unlock();
+
+ ima_measure_critical_data("ima_policy", event_name, file.buf,
+ file.count, false, NULL, 0);
+
+ vfree(file.buf);
+}
--
2.52.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH v4 2/2] ima: measure buffer sent to securityfs policy file
2026-06-17 15:58 [PATCH v4 0/2] ima: measure write on securityfs policy file Enrico Bravi
2026-06-17 15:58 ` [PATCH v4 1/2] ima: measure loaded policy after " Enrico Bravi
@ 2026-06-17 15:58 ` Enrico Bravi
2026-06-25 1:05 ` Mimi Zohar
1 sibling, 1 reply; 11+ messages in thread
From: Enrico Bravi @ 2026-06-17 15:58 UTC (permalink / raw)
To: linux-integrity, zohar, dmitry.kasatkin, roberto.sassu
Cc: eric.snowberg, Enrico Bravi
When a signed policy is not mandatory, it is possible to write the IMA
policy directly on the corresponding securityfs file:
echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
"audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> /sys/kernel/security/ima/policy
or by cat'ing the entire IMA custom policy file:
cat ima-policy-file > /sys/kernel/security/ima/policy
Add input buffer measurement, regardless of whether the new policy
will be accepted or not, that can be caught when
'measure func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). The
measurement template is forced to ima-buf.
This follows the "measure & load" paradigm, exposing potential bugs in
the policy code and detecting attempts to corrupt IMA. It also completes
the POLICY_CHECK hook, which already measures partial policy load by file.
To verify the template data hash value, convert the buffer policy data
to binary:
grep "ima_policy_written" \
/sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
---
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_fs.c | 1 +
security/integrity/ima/ima_main.c | 19 +++++++++++++++++++
security/integrity/ima/ima_policy.c | 3 +++
4 files changed, 24 insertions(+)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index befa221716e5..d477fc06821f 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -455,6 +455,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
void ima_policy_stop(struct seq_file *m, void *v);
int ima_policy_show(struct seq_file *m, void *v);
void ima_measure_loaded_policy(void);
+int ima_measure_policy_buf(const char *buf, size_t buf_len);
/* Appraise integrity measurements */
#define IMA_APPRAISE_ENFORCE 0x01
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 65e7812c702f..a277c9135944 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -356,6 +356,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
1, 0);
result = -EACCES;
} else {
+ ima_measure_policy_buf(data, datalen);
result = ima_parse_add_rule(data);
}
mutex_unlock(&ima_write_mutex);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5cea53fc36df..599495304712 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1221,6 +1221,25 @@ int ima_measure_critical_data(const char *event_label,
}
EXPORT_SYMBOL_GPL(ima_measure_critical_data);
+/**
+ * ima_measure_policy_buf - Measure the policy write buffer
+ * @buf: pointer to the buffer containing the policy write data
+ * @buf_len: size of the buffer
+ *
+ * Measure the buffer sent to the IMA policy securityfs file.
+ *
+ * Return 0 on success, a negative value otherwise.
+ */
+int ima_measure_policy_buf(const char *buf, size_t buf_len)
+{
+ if (!buf || !buf_len)
+ return -EINVAL;
+
+ return process_buffer_measurement(&nop_mnt_idmap, NULL, buf, buf_len,
+ "ima_policy_written", POLICY_CHECK, 0,
+ NULL, false, NULL, 0);
+}
+
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
/**
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0a70d10da70a..fc747f391e41 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -541,6 +541,8 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
opt_list = rule->label;
break;
+ case POLICY_CHECK:
+ return true;
default:
return false;
}
@@ -589,6 +591,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
switch (func) {
case KEY_CHECK:
case CRITICAL_DATA:
+ case POLICY_CHECK:
return ((rule->func == func) &&
ima_match_rule_data(rule, func_data, cred));
default:
--
2.52.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH v4 1/2] ima: measure loaded policy after write on securityfs policy file
2026-06-17 15:58 ` [PATCH v4 1/2] ima: measure loaded policy after " Enrico Bravi
@ 2026-06-24 20:35 ` Mimi Zohar
2026-06-25 14:17 ` Mimi Zohar
2026-06-26 9:32 ` Enrico Bravi
0 siblings, 2 replies; 11+ messages in thread
From: Mimi Zohar @ 2026-06-24 20:35 UTC (permalink / raw)
To: Enrico Bravi, linux-integrity, dmitry.kasatkin, roberto.sassu
Cc: eric.snowberg
The Subject line needs to be written from a higher perspective. It describes
"how", not "what".
Consider using "ima: add critical data measurement for loaded policy".
On Wed, 2026-06-17 at 17:58 +0200, Enrico Bravi wrote:
> IMA policy can be written multiple times in the securityfs policy file
> at runtime if CONFIG_IMA_WRITE_POLICY=y. When IMA_APPRAISE_POLICY is
> required, the policy needs to be signed to be loaded, writing the absolute
> path of the file containing the new policy:
>
> echo /path/of/custom_ima_policy > /sys/kernel/security/ima/policy
>
> When this is not required, policy can be written directly, rule by rule:
>
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
> "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> > /sys/kernel/security/ima/policy
>
> In this case, a new policy can be loaded without being measured or
> appraised.
>
> Add a new critical data record to measure the textual policy
> representation when it becomes effective. Include in the
> architecture-specific policy the new critical data record only when it
> is not mandatory to load a signed policy. Additionally, enable the
> policy serialization code even when CONFIG_IMA_READ_POLICY=n.
>
> To verify the template data hash value, convert the buffer policy data
> to binary:
> grep "ima_policy_loaded" \
> /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
> tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
>
> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
Thank you for making the changes.
[ ... ]
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index f7f940a76922..0a70d10da70a 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -2379,3 +2378,70 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
> return found;
> }
> #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
> +
> +/**
> +* ima_measure_loaded_policy - measure the active IMA policy ruleset
> +*
> +* Must be called with ima_write_mutex held, as it performs two
> +* separate RCU read passes over ima_rules and relies on the mutex
> +* to prevent concurrent policy updates between them.
> +*/
> +void ima_measure_loaded_policy(void)
> +{
> + const char *event_name = "ima_policy_loaded";
> + const char *op = "measure_loaded_ima_policy";
> + struct ima_rule_entry *rule_entry;
> + struct list_head *ima_rules_tmp;
> + struct seq_file file;
> + int result = -ENOMEM;
> + size_t file_len = 0;
> + char rule[512];
> +
> + /* calculate IMA policy rules memory size */
> + file.buf = rule;
> + file.read_pos = 0;
> + file.size = 512;
> + file.count = 0;
> +
> + lockdep_assert_held(&ima_write_mutex);
> +
> + rcu_read_lock();
> + ima_rules_tmp = rcu_dereference(ima_rules);
> + list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
> + ima_policy_show(&file, rule_entry);
> + if (seq_has_overflowed(&file)) {
> + result = -E2BIG;
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, event_name,
> + op, "rule_length", result, 1);
> + return;
On failure the new IMA policy will not be measured. Instead of hard coding the
buffer to 512, define a file static global variable to keep track of the maximum
policy rule size. ima_parse_add_rule() already returns the policy rule length.
Before returning update the max policy rule size variable as necessary.
Here in ima_measure_loaded_policy() allocate/free the buffer.
Missing rcu_read_unlock() before returning.
thanks,
Mimi
> + }
> +
> + file_len += file.count;
> + file.count = 0;
> + }
> + rcu_read_unlock();
> +
> + /* copy IMA policy rules to a buffer for measuring */
> + file.buf = vmalloc(file_len);
> + if (!file.buf) {
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, event_name,
> + op, "ENOMEM", result, 1);
> + return;
> + }
> +
> + file.read_pos = 0;
> + file.size = file_len;
> + file.count = 0;
> +
> + rcu_read_lock();
> + ima_rules_tmp = rcu_dereference(ima_rules);
> + list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
> + ima_policy_show(&file, rule_entry);
> + }
> + rcu_read_unlock();
> +
> + ima_measure_critical_data("ima_policy", event_name, file.buf,
> + file.count, false, NULL, 0);
> +
> + vfree(file.buf);
> +}
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 2/2] ima: measure buffer sent to securityfs policy file
2026-06-17 15:58 ` [PATCH v4 2/2] ima: measure buffer sent to " Enrico Bravi
@ 2026-06-25 1:05 ` Mimi Zohar
2026-06-29 9:26 ` Enrico Bravi
0 siblings, 1 reply; 11+ messages in thread
From: Mimi Zohar @ 2026-06-25 1:05 UTC (permalink / raw)
To: Enrico Bravi, linux-integrity, dmitry.kasatkin, roberto.sassu
Cc: eric.snowberg
The Subject line describes "how", not "what". Consider renaming it to "ima:
measure userspace policy writes before parsing".
On Wed, 2026-06-17 at 17:58 +0200, Enrico Bravi wrote:
> When a signed policy is not mandatory, it is possible to write the IMA
> policy directly on the corresponding securityfs file:
When a signed policy is not mandatory, userspace can write IMA policy rules
directly to the securityfs policy file:
>
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
> "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> > /sys/kernel/security/ima/policy
>
> or by cat'ing the entire IMA custom policy file:
>
> cat ima-policy-file > /sys/kernel/security/ima/policy
Because these rules originate from userspace and cross the userspace/kernel
trust boundary, measure the raw write buffer before parsing.
>
> Add input buffer measurement, regardless of whether the new policy
> will be accepted or not, that can be caught when
> 'measure func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). The
> measurement template is forced to ima-buf.
> This follows the "measure & load" paradigm, exposing potential bugs in
> the policy code and detecting attempts to corrupt IMA. It also completes
> the POLICY_CHECK hook, which already measures partial policy load by file.
>
> To verify the template data hash value, convert the buffer policy data
> to binary:
> grep "ima_policy_written" \
> /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
> tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
>
> Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
> ---
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_fs.c | 1 +
> security/integrity/ima/ima_main.c | 19 +++++++++++++++++++
> security/integrity/ima/ima_policy.c | 3 +++
> 4 files changed, 24 insertions(+)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index befa221716e5..d477fc06821f 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -455,6 +455,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> int ima_policy_show(struct seq_file *m, void *v);
> void ima_measure_loaded_policy(void);
> +int ima_measure_policy_buf(const char *buf, size_t buf_len);
>
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 65e7812c702f..a277c9135944 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -356,6 +356,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
> 1, 0);
> result = -EACCES;
> } else {
> + ima_measure_policy_buf(data, datalen);
Should failure to measure the input policy rules be audited?
> result = ima_parse_add_rule(data);
> }
> mutex_unlock(&ima_write_mutex);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 5cea53fc36df..599495304712 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -1221,6 +1221,25 @@ int ima_measure_critical_data(const char *event_label,
> }
> EXPORT_SYMBOL_GPL(ima_measure_critical_data);
>
> +/**
> + * ima_measure_policy_buf - Measure the policy write buffer
Consider renaming this function to ima_measure_policy_input(), which parallels
the function ima_measure_loaded_policy() in the first patch.
Mimi
> + * @buf: pointer to the buffer containing the policy write data
> + * @buf_len: size of the buffer
> + *
> + * Measure the buffer sent to the IMA policy securityfs file.
> + *
> + * Return 0 on success, a negative value otherwise.
> + */
> +int ima_measure_policy_buf(const char *buf, size_t buf_len)
> +{
> + if (!buf || !buf_len)
> + return -EINVAL;
> +
> + return process_buffer_measurement(&nop_mnt_idmap, NULL, buf, buf_len,
> + "ima_policy_written", POLICY_CHECK, 0,
> + NULL, false, NULL, 0);
> +}
> +
> #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
>
> /**
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 1/2] ima: measure loaded policy after write on securityfs policy file
2026-06-24 20:35 ` Mimi Zohar
@ 2026-06-25 14:17 ` Mimi Zohar
2026-06-26 9:36 ` Enrico Bravi
2026-06-26 9:32 ` Enrico Bravi
1 sibling, 1 reply; 11+ messages in thread
From: Mimi Zohar @ 2026-06-25 14:17 UTC (permalink / raw)
To: Enrico Bravi, linux-integrity, dmitry.kasatkin, roberto.sassu
Cc: eric.snowberg
On Wed, 2026-06-24 at 16:35 -0400, Mimi Zohar wrote:
[...]
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index f7f940a76922..0a70d10da70a 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
>
> > @@ -2379,3 +2378,70 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
> > return found;
> > }
> > #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
> > +
> > +/**
> > +* ima_measure_loaded_policy - measure the active IMA policy ruleset
> > +*
> > +* Must be called with ima_write_mutex held, as it performs two
> > +* separate RCU read passes over ima_rules and relies on the mutex
> > +* to prevent concurrent policy updates between them.
> > +*/
Hi Enrico,
I forgot to mention that the kernel-doc formatting is off. Refer to
checkpatch.pl for the details. Either change it to a regular comment or format
it properly.
thanks,
Mimi
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 1/2] ima: measure loaded policy after write on securityfs policy file
2026-06-24 20:35 ` Mimi Zohar
2026-06-25 14:17 ` Mimi Zohar
@ 2026-06-26 9:32 ` Enrico Bravi
2026-06-26 13:37 ` Mimi Zohar
1 sibling, 1 reply; 11+ messages in thread
From: Enrico Bravi @ 2026-06-26 9:32 UTC (permalink / raw)
To: roberto.sassu@huawei.com, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com
Cc: eric.snowberg@oracle.com
Hi Mimi,
On Wed, 2026-06-24 at 16:35 -0400, Mimi Zohar wrote:
> The Subject line needs to be written from a higher perspective. It describes
> "how", not "what".
> Consider using "ima: add critical data measurement for loaded policy".
yes, will change it.
> On Wed, 2026-06-17 at 17:58 +0200, Enrico Bravi wrote:
> > IMA policy can be written multiple times in the securityfs policy file
> > at runtime if CONFIG_IMA_WRITE_POLICY=y. When IMA_APPRAISE_POLICY is
> > required, the policy needs to be signed to be loaded, writing the absolute
> > path of the file containing the new policy:
> >
> > echo /path/of/custom_ima_policy > /sys/kernel/security/ima/policy
> >
> > When this is not required, policy can be written directly, rule by rule:
> >
> > echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
> > "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> > > /sys/kernel/security/ima/policy
> >
> > In this case, a new policy can be loaded without being measured or
> > appraised.
> >
> > Add a new critical data record to measure the textual policy
> > representation when it becomes effective. Include in the
> > architecture-specific policy the new critical data record only when it
> > is not mandatory to load a signed policy. Additionally, enable the
> > policy serialization code even when CONFIG_IMA_READ_POLICY=n.
> >
> > To verify the template data hash value, convert the buffer policy data
> > to binary:
> > grep "ima_policy_loaded" \
> > /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
> > tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
> >
> > Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
>
> Thank you for making the changes.
>
> [ ... ]
>
> > diff --git a/security/integrity/ima/ima_policy.c
> > b/security/integrity/ima/ima_policy.c
> > index f7f940a76922..0a70d10da70a 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
>
> > @@ -2379,3 +2378,70 @@ bool ima_appraise_signature(enum kernel_read_file_id
> > id)
> > return found;
> > }
> > #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
> > +
> > +/**
> > +* ima_measure_loaded_policy - measure the active IMA policy ruleset
> > +*
> > +* Must be called with ima_write_mutex held, as it performs two
> > +* separate RCU read passes over ima_rules and relies on the mutex
> > +* to prevent concurrent policy updates between them.
> > +*/
> > +void ima_measure_loaded_policy(void)
> > +{
> > + const char *event_name = "ima_policy_loaded";
> > + const char *op = "measure_loaded_ima_policy";
> > + struct ima_rule_entry *rule_entry;
> > + struct list_head *ima_rules_tmp;
> > + struct seq_file file;
> > + int result = -ENOMEM;
> > + size_t file_len = 0;
> > + char rule[512];
> > +
> > + /* calculate IMA policy rules memory size */
> > + file.buf = rule;
> > + file.read_pos = 0;
> > + file.size = 512;
> > + file.count = 0;
> > +
> > + lockdep_assert_held(&ima_write_mutex);
> > +
> > + rcu_read_lock();
> > + ima_rules_tmp = rcu_dereference(ima_rules);
> > + list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
> > + ima_policy_show(&file, rule_entry);
> > + if (seq_has_overflowed(&file)) {
> > + result = -E2BIG;
> > + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL,
> > event_name,
> > + op, "rule_length", result, 1);
> > + return;
>
> On failure the new IMA policy will not be measured. Instead of hard coding the
> buffer to 512, define a file static global variable to keep track of the
> maximum
> policy rule size. ima_parse_add_rule() already returns the policy rule
> length.
> Before returning update the max policy rule size variable as necessary.
>
> Here in ima_measure_loaded_policy() allocate/free the buffer.
Yes, this is much better. In this way the check on seq_has_overflowed() should
not be necessary anymore.
Thank you very much for your suggestions.
Enrico
> Missing rcu_read_unlock() before returning.
>
> thanks,
>
> Mimi
>
> > + }
> > +
> > + file_len += file.count;
> > + file.count = 0;
> > + }
> > + rcu_read_unlock();
> > +
> > + /* copy IMA policy rules to a buffer for measuring */
> > + file.buf = vmalloc(file_len);
> > + if (!file.buf) {
> > + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, event_name,
> > + op, "ENOMEM", result, 1);
> > + return;
> > + }
> > +
> > + file.read_pos = 0;
> > + file.size = file_len;
> > + file.count = 0;
> > +
> > + rcu_read_lock();
> > + ima_rules_tmp = rcu_dereference(ima_rules);
> > + list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
> > + ima_policy_show(&file, rule_entry);
> > + }
> > + rcu_read_unlock();
> > +
> > + ima_measure_critical_data("ima_policy", event_name, file.buf,
> > + file.count, false, NULL, 0);
> > +
> > + vfree(file.buf);
> > +}
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 1/2] ima: measure loaded policy after write on securityfs policy file
2026-06-25 14:17 ` Mimi Zohar
@ 2026-06-26 9:36 ` Enrico Bravi
0 siblings, 0 replies; 11+ messages in thread
From: Enrico Bravi @ 2026-06-26 9:36 UTC (permalink / raw)
To: roberto.sassu@huawei.com, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com
Cc: eric.snowberg@oracle.com
On Thu, 2026-06-25 at 10:17 -0400, Mimi Zohar wrote:
> On Wed, 2026-06-24 at 16:35 -0400, Mimi Zohar wrote:
> [...]
>
> > > diff --git a/security/integrity/ima/ima_policy.c
> > > b/security/integrity/ima/ima_policy.c
> > > index f7f940a76922..0a70d10da70a 100644
> > > --- a/security/integrity/ima/ima_policy.c
> > > +++ b/security/integrity/ima/ima_policy.c
> >
> > > @@ -2379,3 +2378,70 @@ bool ima_appraise_signature(enum
> > > kernel_read_file_id id)
> > > return found;
> > > }
> > > #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
> > > +
> > > +/**
> > > +* ima_measure_loaded_policy - measure the active IMA policy ruleset
> > > +*
> > > +* Must be called with ima_write_mutex held, as it performs two
> > > +* separate RCU read passes over ima_rules and relies on the mutex
> > > +* to prevent concurrent policy updates between them.
> > > +*/
>
> Hi Enrico,
>
> I forgot to mention that the kernel-doc formatting is off. Refer to
> checkpatch.pl for the details. Either change it to a regular comment or
> format
> it properly.
Hi Mimi,
yes, I forgot to check it, I'm sorry about that. I'll fix it.
Thank you,
Enrico
> thanks,
>
> Mimi
> >
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 1/2] ima: measure loaded policy after write on securityfs policy file
2026-06-26 9:32 ` Enrico Bravi
@ 2026-06-26 13:37 ` Mimi Zohar
0 siblings, 0 replies; 11+ messages in thread
From: Mimi Zohar @ 2026-06-26 13:37 UTC (permalink / raw)
To: Enrico Bravi, roberto.sassu@huawei.com,
linux-integrity@vger.kernel.org, dmitry.kasatkin@gmail.com
Cc: eric.snowberg@oracle.com
On Fri, 2026-06-26 at 09:32 +0000, Enrico Bravi wrote:
> >
> > > diff --git a/security/integrity/ima/ima_policy.c
> > > b/security/integrity/ima/ima_policy.c
> > > index f7f940a76922..0a70d10da70a 100644
> > > --- a/security/integrity/ima/ima_policy.c
> > > +++ b/security/integrity/ima/ima_policy.c
> >
> > > @@ -2379,3 +2378,70 @@ bool ima_appraise_signature(enum kernel_read_file_id
> > > id)
> > > return found;
> > > }
> > > #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */
> > > +
> > > +/**
> > > +* ima_measure_loaded_policy - measure the active IMA policy ruleset
> > > +*
> > > +* Must be called with ima_write_mutex held, as it performs two
> > > +* separate RCU read passes over ima_rules and relies on the mutex
> > > +* to prevent concurrent policy updates between them.
> > > +*/
> > > +void ima_measure_loaded_policy(void)
> > > +{
> > > + const char *event_name = "ima_policy_loaded";
> > > + const char *op = "measure_loaded_ima_policy";
> > > + struct ima_rule_entry *rule_entry;
> > > + struct list_head *ima_rules_tmp;
> > > + struct seq_file file;
> > > + int result = -ENOMEM;
> > > + size_t file_len = 0;
> > > + char rule[512];
> > > +
> > > + /* calculate IMA policy rules memory size */
> > > + file.buf = rule;
> > > + file.read_pos = 0;
> > > + file.size = 512;
> > > + file.count = 0;
> > > +
> > > + lockdep_assert_held(&ima_write_mutex);
> > > +
> > > + rcu_read_lock();
> > > + ima_rules_tmp = rcu_dereference(ima_rules);
> > > + list_for_each_entry_rcu(rule_entry, ima_rules_tmp, list) {
> > > + ima_policy_show(&file, rule_entry);
> > > + if (seq_has_overflowed(&file)) {
> > > + result = -E2BIG;
> > > + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL,
> > > event_name,
> > > + op, "rule_length", result, 1);
> > > + return;
> >
> > On failure the new IMA policy will not be measured. Instead of hard coding the
> > buffer to 512, define a file static global variable to keep track of the
> > maximum
> > policy rule size. ima_parse_add_rule() already returns the policy rule
> > length.
> > Before returning update the max policy rule size variable as necessary.
> >
> > Here in ima_measure_loaded_policy() allocate/free the buffer.
>
> Yes, this is much better. In this way the check on seq_has_overflowed() should
> not be necessary anymore.
> Thank you very much for your suggestions.
Right, it isn't necessary, but there's no harm in keeping it either.
>
> > Missing rcu_read_unlock() before returning.
> >
thanks,
Mimi
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 2/2] ima: measure buffer sent to securityfs policy file
2026-06-25 1:05 ` Mimi Zohar
@ 2026-06-29 9:26 ` Enrico Bravi
2026-06-29 16:38 ` Mimi Zohar
0 siblings, 1 reply; 11+ messages in thread
From: Enrico Bravi @ 2026-06-29 9:26 UTC (permalink / raw)
To: roberto.sassu@huawei.com, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com
Cc: eric.snowberg@oracle.com
Hi Mimi,
On Wed, 2026-06-24 at 21:05 -0400, Mimi Zohar wrote:
> The Subject line describes "how", not "what". Consider renaming it to "ima:
> measure userspace policy writes before parsing".
thank you, will fix it.
> On Wed, 2026-06-17 at 17:58 +0200, Enrico Bravi wrote:
> > When a signed policy is not mandatory, it is possible to write the IMA
> > policy directly on the corresponding securityfs file:
>
> When a signed policy is not mandatory, userspace can write IMA policy rules
> directly to the securityfs policy file:
> >
> > echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
> > "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> > > /sys/kernel/security/ima/policy
> >
> > or by cat'ing the entire IMA custom policy file:
> >
> > cat ima-policy-file > /sys/kernel/security/ima/policy
>
> Because these rules originate from userspace and cross the userspace/kernel
> trust boundary, measure the raw write buffer before parsing.
Thanks for these suggestions, I'll update the patch description.
> >
> > Add input buffer measurement, regardless of whether the new policy
> > will be accepted or not, that can be caught when
> > 'measure func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). The
> > measurement template is forced to ima-buf.
>
> > This follows the "measure & load" paradigm, exposing potential bugs in
> > the policy code and detecting attempts to corrupt IMA. It also completes
> > the POLICY_CHECK hook, which already measures partial policy load by file.
>
> >
> > To verify the template data hash value, convert the buffer policy data
> > to binary:
> > grep "ima_policy_written" \
> > /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
> > tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
> >
> > Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
> > Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
> > ---
> > security/integrity/ima/ima.h | 1 +
> > security/integrity/ima/ima_fs.c | 1 +
> > security/integrity/ima/ima_main.c | 19 +++++++++++++++++++
> > security/integrity/ima/ima_policy.c | 3 +++
> > 4 files changed, 24 insertions(+)
> >
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index befa221716e5..d477fc06821f 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -455,6 +455,7 @@ void *ima_policy_next(struct seq_file *m, void *v,
> > loff_t *pos);
> > void ima_policy_stop(struct seq_file *m, void *v);
> > int ima_policy_show(struct seq_file *m, void *v);
> > void ima_measure_loaded_policy(void);
> > +int ima_measure_policy_buf(const char *buf, size_t buf_len);
> >
> > /* Appraise integrity measurements */
> > #define IMA_APPRAISE_ENFORCE 0x01
> > diff --git a/security/integrity/ima/ima_fs.c
> > b/security/integrity/ima/ima_fs.c
> > index 65e7812c702f..a277c9135944 100644
> > --- a/security/integrity/ima/ima_fs.c
> > +++ b/security/integrity/ima/ima_fs.c
> > @@ -356,6 +356,7 @@ static ssize_t ima_write_policy(struct file *file, const
> > char __user *buf,
> > 1, 0);
> > result = -EACCES;
> > } else {
> > + ima_measure_policy_buf(data, datalen);
>
> Should failure to measure the input policy rules be audited?
process_buffer_measurement() is already auditing in case of failure before
returning. Do you think it is necessary to audit also at this point?
> > result = ima_parse_add_rule(data);
> > }
> > mutex_unlock(&ima_write_mutex);
> > diff --git a/security/integrity/ima/ima_main.c
> > b/security/integrity/ima/ima_main.c
> > index 5cea53fc36df..599495304712 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -1221,6 +1221,25 @@ int ima_measure_critical_data(const char
> > *event_label,
> > }
> > EXPORT_SYMBOL_GPL(ima_measure_critical_data);
> >
> > +/**
> > + * ima_measure_policy_buf - Measure the policy write buffer
>
> Consider renaming this function to ima_measure_policy_input(), which parallels
> the function ima_measure_loaded_policy() in the first patch.
My intention with the previous ima_measure_policy_write() name was to highlight
the fact it is not measuring every data sent to the policy file. For example,
writing the path of the file from which reading the new policy does not trigger
this measurement. Eventually, what do you think of ima_measure_raw_policy() or
ima_measure_unparsed_policy()?
Thank you very much,
Enrico
> Mimi
>
> > + * @buf: pointer to the buffer containing the policy write data
> > + * @buf_len: size of the buffer
> > + *
> > + * Measure the buffer sent to the IMA policy securityfs file.
> > + *
> > + * Return 0 on success, a negative value otherwise.
> > + */
> > +int ima_measure_policy_buf(const char *buf, size_t buf_len)
> > +{
> > + if (!buf || !buf_len)
> > + return -EINVAL;
> > +
> > + return process_buffer_measurement(&nop_mnt_idmap, NULL, buf,
> > buf_len,
> > + "ima_policy_written",
> > POLICY_CHECK, 0,
> > + NULL, false, NULL, 0);
> > +}
> > +
> > #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
> >
> > /**
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 2/2] ima: measure buffer sent to securityfs policy file
2026-06-29 9:26 ` Enrico Bravi
@ 2026-06-29 16:38 ` Mimi Zohar
0 siblings, 0 replies; 11+ messages in thread
From: Mimi Zohar @ 2026-06-29 16:38 UTC (permalink / raw)
To: Enrico Bravi, roberto.sassu@huawei.com,
linux-integrity@vger.kernel.org, dmitry.kasatkin@gmail.com
Cc: eric.snowberg@oracle.com
On Mon, 2026-06-29 at 09:26 +0000, Enrico Bravi wrote:
> > > diff --git a/security/integrity/ima/ima_fs.c
> > > b/security/integrity/ima/ima_fs.c
> > > index 65e7812c702f..a277c9135944 100644
> > > --- a/security/integrity/ima/ima_fs.c
> > > +++ b/security/integrity/ima/ima_fs.c
> > > @@ -356,6 +356,7 @@ static ssize_t ima_write_policy(struct file *file, const
> > > char __user *buf,
> > > 1, 0);
> > > result = -EACCES;
> > > } else {
> > > + ima_measure_policy_buf(data, datalen);
> >
> > Should failure to measure the input policy rules be audited?
>
> process_buffer_measurement() is already auditing in case of failure before
> returning. Do you think it is necessary to audit also at this point?
No, you're correct.
>
> > > result = ima_parse_add_rule(data);
> > > }
> > > mutex_unlock(&ima_write_mutex);
> > > diff --git a/security/integrity/ima/ima_main.c
> > > b/security/integrity/ima/ima_main.c
> > > index 5cea53fc36df..599495304712 100644
> > > --- a/security/integrity/ima/ima_main.c
> > > +++ b/security/integrity/ima/ima_main.c
> > > @@ -1221,6 +1221,25 @@ int ima_measure_critical_data(const char
> > > *event_label,
> > > }
> > > EXPORT_SYMBOL_GPL(ima_measure_critical_data);
> > >
> > > +/**
> > > + * ima_measure_policy_buf - Measure the policy write buffer
> >
> > Consider renaming this function to ima_measure_policy_input(), which parallels
> > the function ima_measure_loaded_policy() in the first patch.
>
> My intention with the previous ima_measure_policy_write() name was to highlight
> the fact it is not measuring every data sent to the policy file. For example,
> writing the path of the file from which reading the new policy does not trigger
> this measurement. Eventually, what do you think of ima_measure_raw_policy() or
> ima_measure_unparsed_policy()?
The policy could have comment lines, which are being measured. Naming the
function ima_measure_raw_policy() is perfect.
>
thanks,
Mimi
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2026-06-29 16:44 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-17 15:58 [PATCH v4 0/2] ima: measure write on securityfs policy file Enrico Bravi
2026-06-17 15:58 ` [PATCH v4 1/2] ima: measure loaded policy after " Enrico Bravi
2026-06-24 20:35 ` Mimi Zohar
2026-06-25 14:17 ` Mimi Zohar
2026-06-26 9:36 ` Enrico Bravi
2026-06-26 9:32 ` Enrico Bravi
2026-06-26 13:37 ` Mimi Zohar
2026-06-17 15:58 ` [PATCH v4 2/2] ima: measure buffer sent to " Enrico Bravi
2026-06-25 1:05 ` Mimi Zohar
2026-06-29 9:26 ` Enrico Bravi
2026-06-29 16:38 ` Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox